Phishing still wins because we keep solving the wrong problem
Twenty years of awareness training, and the click-through rate has barely moved. The lesson is not about users.
Every benchmark you have read says the same thing: between twelve and twenty per cent of users will click a well-crafted phishing email. That number has not meaningfully changed in two decades of intervention.
The honest reading is that we are solving the wrong problem. The interesting work is happening in the seconds after the click, not before it.
